
Google advises protecting against remotely exploitable vulnerabilities in popular Android phones

Google's security research unit, Project Zero, has raised concerns about a series of vulnerabilities discovered in Samsung chips used in multiple Android models, wearables, and vehicles.

The research team discovered 18 zero-day vulnerabilities in Exynos modems produced by Samsung, including four high-severity flaws that could allow attackers to compromise affected devices "silently and remotely" over cellular networks.

According to Tim Willis, the head of Project Zero, the four vulnerabilities could enable attackers to remotely compromise a phone at the baseband level with no user interaction, requiring only knowledge of the victim's phone number. By gaining access to a device's baseband level, attackers could access the data flowing in and out of the device, including cellular calls, text messages, and cell data, without alerting the user.

This discovery raises concerns about the potential for widespread exploitation of these vulnerabilities, and highlights the importance of prompt action to address the issue. The affected devices are used by a significant number of people, making it imperative for Samsung and other relevant parties to work quickly to develop and distribute patches to protect users' security and privacy.

It is highly unusual for Google or any security research firm to raise an alarm on high-severity vulnerabilities before they are fixed. In this case, Google has publicly stated that skilled attackers could quickly exploit the vulnerabilities with limited research and effort, thereby putting the public at risk.

Maddie Stone, a researcher at Project Zero, took to Twitter to state that Samsung had been given a 90-day window to address the vulnerabilities, but has not yet done so.

Samsung did confirm that several Exynos modems are susceptible to the vulnerabilities in a March 2023 security listing, but provided scant details. According to Project Zero, almost a dozen Samsung models, as well as Vivo devices and Google's own Pixel 6 and Pixel 7 handsets, have been impacted. Wearables and vehicles that rely on Exynos chips for connecting to cellular networks have also been affected.

Given the number and variety of devices impacted, it is imperative that Samsung and other manufacturers take swift action to patch the vulnerabilities and secure their customers' privacy and security.

Google has provided a list of devices that are affected by the security vulnerabilities found in Samsung's Exynos modems.

The list includes various Samsung models such as S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series.

It also includes Vivo mobile devices like S16, S15, S6, X70, X60, and X30 series, as well as Google Pixel 6 and Pixel 7 series.

Additionally, connected vehicles that use the Exynos Auto T5123 chipset are also affected.

Google mentioned that patches for the vulnerabilities will differ depending on the manufacturer, but its Pixel devices have already received the necessary updates through the March security patch. Google advised users to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to mitigate the risk of exploitation until manufacturers release patches.

Furthermore, Google noted that the remaining 14 vulnerabilities were less severe, as they required either access to the device or insider or privileged access to a cell carrier's systems.
